216d99e585
The extension relay server authenticates using an HMAC-SHA256 derived token (`openclaw-extension-relay-v1:<port>`), but the Chrome extension was sending the raw gateway token. This caused both the WebSocket connection and the options page validation to fail with 401 Unauthorized. Additionally, the options page validation request triggered a CORS preflight (due to the custom `x-openclaw-relay-token` header) which the relay rejects because OPTIONS requests lack auth headers. The options page now delegates the check to the background service worker which has host_permissions and bypasses CORS preflight. Fixes #23842 Co-authored-by: Cursor <cursoragent@cursor.com> (cherry picked from commit bbc654b9f063ef24e7d511275e7d8c670414970b)
1.6 KiB
1.6 KiB